HL Chronicle of Data Protection Privacy & Information Security News & Trends
Posted in International/EU Privacy

Russia Update: Law Increasing Fines for Violation of Data Protection Laws Comes Into Force

Update: On 3 December 2019 the law imposing multi-million Ruble (RUB) fines for infringing Russian data localization and information security laws has come into force. We have retained below our earlier update about the law for informational purposes and to provide context. Since the law has already come into force, new fines may be imposed on companies based on results of the Russian DPA’s (Roskomnadzor) inspections in 2020. Roskomnadzor has already identified the entities it plans to inspect in 2020 but may initiate unplanned inspections as well based, for example, on data subject complaints or its online monitoring of company activity.

On 21 November 2019 a bill imposing multi-million Ruble (RUB) fines for infringing Russian data localization and information security laws passed the last hearing at the State Duma. This likely means that the bill will become law soon, once it passes the higher chamber of Russia’s Parliament and is signed by the Russian President. The process may take about two weeks.

During the hearings the bill was slightly amended with respect to the minimum fines it would impose. The current version of the bill establishes a minimum fine of RUB 1 million (approx. USD 15,660) for first time violators of the data localization law. The fine for first time violators could reach up to RUB 6 million (approx. USD 93,690). Repeated violations of the data localization law can incur increasing fines with a maximum penalty of RUB 18 million (approx. USD 281,070) for legal entities.

Under Russia’s data localization law, data operators processing personal data of Russian citizens, whether collected online or offline, are required to process that personal data in databases located within the territory of the Russian Federation (see our past coverage here). With the current level of fines relatively low, the major risk to date for non-compliance has been the risk of having one’s website blocked within Russia. Taking into account the substantial increase of fines, and growing enforcement practice, data operators’ risk calculations may change.

The bill also introduces increased fines for repeated violations of Russia’s Federal law No. 149-FZ of July 27, 2006 “On Information, information technology and protection of information,” in particular:

  1. Repeated failure to register with Roskomnadzor as an organizer of dissemination of information on the Internet may result in an administrative fine from RUB 500,000 (approx. USD 7,830) to RUB 1 million (approx. USD 15,660);
  2. Repeated failure to provide Russian state authorities with information on users and their communications or decryption keys which are necessary to decrypt users’ communications may result in an administrative fine from RUB 2 million (approx. USD 31,330) to RUB 6 million (approx. USD 93,690);
  3. Repeated failure to install equipment required for conducting criminal investigations by Russian state authorities may result in an administrative fine from RUB 2 million (approx. USD 31,330) to RUB 6 million (approx. USD 93,690);
  4. Repeated distribution of a mass media channel not registered in Russia by a video-on-demand service may result in an administrative fine from RUB 700,000 (approx. USD 10,960) to RUB 1 million (approx. USD 15,660);
  5. Repeated failure of a video-on-demand service to provide proper age rating may result in an administrative fine from RUB 500,000 (approx. USD 7,830) to RUB 1 million (approx. USD 15,660);
  6. Repeated distribution of extremist materials by a video-on-demand service may result in an administrative fine from RUB 1 million (approx. USD 15,615) to RUB 5 million (approx. USD 78,320);
  7. Repeated failure to fulfill obligations imposed on instant messenger services may result in an administrative fine from RUB 1 million (approx. USD 15,660) to RUB 2 million (approx. USD 31,330);
  8. Repeated failure of a search engine to fulfill its obligation to connect to the Register of the websites blocked in Russia may result in an administrative fine from RUB 1 million (approx. USD 15,660) to RUB 5 million (approx. USD 78,320);
  9. Repeated failure of a search engine to exclude websites blocked in Russia from its search results may result in an administrative fine from RUB 1 million (approx. USD 15,660) to RUB 3 million (approx. USD 46,990).

Still only a bill, the new fine schedules are not binding at this stage. To become binding, the bill must pass the higher chamber of the Russian Parliament and be signed by the President. This process could be completed within two weeks.

In the meantime, we expect that companies doing business in Russia may wish to take a look at their compliance with Russian data protection and localization law in order to mitigate the risks of increased fines or revisit previously made risk assessments once the bill is adopted into Russian law.

 

Natalia Spitsyna, an intern in our Moscow office, contributed to this entry.